CWE-863— Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.— MITRE CWE catalog
3,807 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-863page 46 of 77
- CVE-2023-5356HIGHCVSS 7.3EG 9.62024-01-12
Incorrect authorization checks in GitLab CE/EE from all versions starting from 8.13 before 16.5.6, all versions starting from 16.6 before 16.6.4, all versions starting from 16.7 before 16.7.2, allows a user to abuse slack/mattermost integr…
- CVE-2023-5509MEDIUMCVSS 5.4EG 5.42023-11-20
The myStickymenu WordPress plugin before 2.6.5 does not adequately authorize some ajax calls, allowing any logged-in user to perform the actions.
- CVE-2023-5521CRITICALCVSS 9.8EG 7.32023-10-11
Incorrect Authorization in GitHub repository tiann/kernelsu prior to v0.6.9.
- CVE-2023-5553MEDIUMCVSS 6.8EG 7.62023-11-21
During internal Axis Security Development Model (ASDM) threat-modelling, a flaw was found in the protection for device tampering (commonly known as Secure Boot) in AXIS OS making it vulnerable to a sophisticated attack to bypass this prote…
- CVE-2023-5644HIGHCVSS 7.6EG 7.62023-12-26
The WP Mail Log WordPress plugin before 1.1.3 does not correctly authorize its REST API endpoints, allowing users with the Contributor role to view and delete data that should only be accessible to Admin users.
- CVE-2023-5799MEDIUMCVSS 5.4EG 5.42023-11-20
The WP Hotel Booking WordPress plugin before 2.0.8 does not have proper authorisation when deleting a package, allowing Contributor and above roles to delete posts that do no belong to them
- CVE-2023-5995HIGHCVSS 7.5EG 4.42023-12-01
An issue has been discovered in GitLab EE affecting all versions starting from 16.2 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for an attacker to abuse the p…
- CVE-2023-6036CRITICALCVSS 9.8EG 9.82024-02-12
The Web3 WordPress plugin before 3.0.0 is vulnerable to an authentication bypass due to incorrect authentication checking in the login flow in functions 'handle_auth_request' and 'hadle_login_request'. This makes it possible for non authen…
- CVE-2023-6152MEDIUMCVSS 5.4EG 5.42024-02-13
A user changing their email after signing up and verifying it can change it without verification in profile settings. The configuration option "verify_email_enabled" will only validate email only on sign up.
- CVE-2023-6355MEDIUMCVSS 6.8EG 6.82023-12-18
Incorrect selection of fuse values in the Controller 7000 platform allows an attacker to bypass some protection mechanisms to enable local debug. This issue affects: Gallagher Controller 7000 9.00 prior to vCR9.00.231204b (distributed i…
- CVE-2023-6400HIGHCVSS 7.4EG 7.42024-03-27
Incorrect Authorization vulnerability in OpenText™ ZENworks Configuration Management (ZCM) allows Unauthorized Use of Device Resources.This issue affects ZENworks Configuration Management (ZCM) versions: 2020 update 3, 23.3, and 23.4.
- CVE-2023-6542HIGHCVSS 7.1EG 7.12023-12-12
Due to lack of proper authorization checks in Emarsys SDK for Android, an attacker can call a particular activity and can forward himself web pages and/or deep links without any validation directly from the host application. On successful …
- CVE-2023-6564MEDIUMCVSS 6.5EG 6.52024-02-08
An issue has been discovered in GitLab EE Premium and Ultimate affecting versions 16.4.3, 16.5.3, and 16.6.1. In projects using subgroups to define who can push and/or merge to protected branches, there may have been instances in which sub…
- CVE-2023-6837HIGHCVSS 8.2EG 8.52023-12-15
Multiple WSO2 products have been identified as vulnerable to perform user impersonatoin using JIT provisioning. In order for this vulnerability to have any impact on your deployment, following conditions must be met: * An IDP configure…
- CVE-2023-6955MEDIUMCVSS 6.6EG 6.62024-01-12
A missing authorization check vulnerability exists in GitLab Remote Development affecting all versions prior to 16.5.6, 16.6 prior to 16.6.4 and 16.7 prior to 16.7.2. This condition allows an attacker to create a workspace in one group tha…
- CVE-2023-6963MEDIUMCVSS 5.3EG 5.32024-02-05
The Getwid – Gutenberg Blocks plugin for WordPress is vulnerable to CAPTCHA Bypass in versions up to, and including, 2.0.4. This makes it possible for unauthenticated attackers to bypass the Captcha Verification of the Contact Form block…
- CVE-2023-7047MEDIUMCVSS 4.4EG 4.42023-12-21
Inadequate validation of permissions when employing remote tools and macros via the context menu within Devolutions Remote Desktop Manager versions 2023.3.31 and earlier permits a user to initiate a connection without proper execution …
- CVE-2023-7322HIGHCVSS 8.1EG 8.12025-10-30
Nagios Log Server versions prior to 2024R1 contain an incorrect authorization vulnerability. Users who lacked the required API permission were nevertheless able to invoke API endpoints, resulting in unintended access to data and actions ex…
- CVE-2024-0017MEDIUMCVSS 5.5EG 5.52024-02-16
In shouldUseNoOpLocation of CameraActivity.java, there is a possible confused deputy due to a permissions bypass. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed fo…
- CVE-2024-0043HIGHCVSS 7.8EG 7.82024-05-07
In multiple locations, there is a possible notification listener grant to an app running in the work profile due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed.…
- CVE-2024-0160MEDIUMCVSS 6.8EG 6.82024-06-12
Dell Client Platform contains an incorrect authorization vulnerability. An attacker with physical access to the system could potentially exploit this vulnerability by bypassing BIOS authorization to modify settings in the BIOS.
- CVE-2024-0199HIGHCVSS 7.7EG 7.72024-03-07
An authorization bypass vulnerability was discovered in GitLab affecting versions 11.3 prior to 16.7.7, 16.7.6 prior to 16.8.4, and 16.8.3 prior to 16.9.2. An attacker could bypass CODEOWNERS by utilizing a crafted payload in an old featur…
- CVE-2024-10043LOWCVSS 3.1EG 3.12024-12-12
An issue has been discovered in GitLab EE affecting all versions starting from 14.3 before 17.4.6, all versions starting from 17.5 before 17.5.4 all versions starting from 17.6 before 17.6.2, that allows group users to view confidential in…
- CVE-2024-10109HIGHCVSS 8.3EG 8.32025-03-20
A vulnerability in the mintplex-labs/anything-llm repository, as of commit 5c40419, allows low privilege users to access the sensitive API endpoint "/api/system/custom-models". This access enables them to modify the model's API key and bas…
- CVE-2024-10173HIGHCVSS 7.3EG 7.32024-10-20
A vulnerability has been found in didi DDMQ 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the component Console Module. The manipulation with the input /;login leads to improper authenticatio…
- CVE-2024-10219MEDIUMCVSS 6.5EG 6.52025-08-13
An issue has been discovered in GitLab CE/EE affecting all versions from 15.6 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 that under certain conditions could have allowed authenticated users to bypass access controls and down…
- CVE-2024-10273MEDIUMCVSS 6.5EG 6.52025-03-20
In lunary-ai/lunary v1.5.0, improper privilege management in the models.ts file allows users with viewer roles to modify models owned by others. The PATCH endpoint for models does not have appropriate privilege checks, enabling low-privile…
- CVE-2024-10275HIGHCVSS 7.3EG 7.32025-03-20
In version 1.5.5 of lunary-ai/lunary, a vulnerability exists where admins, who do not have direct permissions to access billing resources, can change the permissions of existing users to include billing permissions. This can lead to a priv…
- CVE-2024-10295HIGHCVSS 7.5EG 5.92024-10-24
A flaw was found in Gateway. Sending a non-base64 'basic' auth with special characters can cause APICast to incorrectly authenticate a request. A malformed basic authentication header containing special characters bypasses authentication a…
- CVE-2024-10306MEDIUMCVSS 5.4EG 5.42025-04-23
A vulnerability was found in mod_proxy_cluster. The issue is that the <Directory> directive should be replaced by the <Location> directive as the former does not restrict IP/host access as `Require ip IP_ADDRESS` would suggest. This means …
- CVE-2024-10953MEDIUMCVSS 4.3EG 4.32024-11-09
An authenticated data.all user is able to perform mutating UPDATE operations on persisted Notification records in data.all for group notifications that their user is not a member of.
- CVE-2024-10975HIGHCVSS 7.7EG 7.72024-11-07
Nomad Community and Nomad Enterprise ("Nomad") volume specification is vulnerable to arbitrary cross-namespace volume creation through unauthorized Container Storage Interface (CSI) volume writes. This vulnerability, identified as CVE-2024…
- CVE-2024-11176MEDIUMCVSS 5.3EG 5.32024-11-20
Improper access control vulnerability in M-Files Aino in versions before 24.10 allowed an authenticated user to access object information via incorrect evaluation of effective permissions.
- CVE-2024-1155HIGHCVSS 7.8EG 7.82024-02-20
Incorrect permissions in the installation directories for shared SystemLink Elixir based services may allow an authenticated user to potentially enable escalation of privilege via local access.
- CVE-2024-1156HIGHCVSS 7.8EG 7.82024-02-20
Incorrect directory permissions for the shared NI RabbitMQ service may allow a local authenticated user to read RabbitMQ configuration information and potentially enable escalation of privileges.
- CVE-2024-11669MEDIUMCVSS 6.5EG 6.52024-11-26
An issue was discovered in GitLab CE/EE affecting all versions from 16.9.8 before 17.4.5, 17.5 before 17.5.3, and 17.6 before 17.6.1. Certain API endpoints could potentially allow unauthorized access to sensitive data due to overly broad a…
- CVE-2024-11670MEDIUMCVSS 5.4EG 5.42024-11-25
Incorrect authorization in the permission validation component of Devolutions Remote Desktop Manager 2024.2.21 and earlier on Windows allows a malicious authenticated user to bypass the "View Password" permission via specific actions.
- CVE-2024-11672MEDIUMCVSS 4.3EG 4.32024-11-25
Incorrect authorization in the add permission component in Devolutions Remote Desktop Manager 2024.2.21 and earlier on Windows allows an authenticated malicious user to bypass the "Add" permission via the import in vault feature.
- CVE-2024-11680CRITICALCVSS 9.8EG 9.8⚠ KEV2024-11-26
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Remote, unauthenticated attackers can exploit this flaw by sending crafted HTTP requests to options.php, enabling unauthorized modification of th…
- CVE-2024-12148MEDIUMCVSS 4.3EG 4.32024-12-04
Incorrect authorization in permission validation component in Devolutions Server 2024.3.6.0 and earlier allows an authenticated user to access some reporting endpoints.
- CVE-2024-12196MEDIUMCVSS 6.5EG 6.52024-12-04
Incorrect authorization in the permission component in Devolutions Server 2024.3.7.0 and earlier allows an authenticated user to view the password history of an entry without the view password permission.
- CVE-2024-12247MEDIUMCVSS 4.6EG 4.62024-12-05
Mattermost versions 9.7.x <= 9.7.5, 9.8.x <= 9.8.2 and 9.9.x <= 9.9.2 fail to properly propagate permission scheme updates across cluster nodes which allows a user to keep old permissions, even if the permission scheme has been updated.
- CVE-2024-12539MEDIUMCVSS 6.5EG 6.52024-12-17
An issue was discovered where improper authorization controls affected certain queries that could allow a malicious actor to circumvent Document Level Security in Elasticsearch and get access to documents that their roles would normally no…
- CVE-2024-12831HIGHCVSS 7.8EG 6.62024-12-20
Arista NG Firewall uvm_login Incorrect Authorization Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Arista NG Firewall. An attacker must first obtain the ab…
- CVE-2024-12862MEDIUMCVSS 5.5EG 5.52025-04-21
Incorrect Authorization vulnerability in the OpenText Content Server REST API on Windows, Linux allows users without the appropriate permissions to remove external collaborators.This issue affects Content Server: 20.2-24.4.
- CVE-2024-1299MEDIUMCVSS 6.5EG 6.52024-03-07
A privilege escalation vulnerability was discovered in GitLab affecting versions 16.8 prior to 16.8.4 and 16.9 prior to 16.9.2. It was possible for a user with custom role of `manage_group_access_tokens` to rotate group access tokens with …
- CVE-2024-1307MEDIUMCVSS 6.5EG 6.52024-04-15
The Smart Forms WordPress plugin before 2.6.94 does not have proper authorization in some actions, which could allow users with a role as low as a subscriber to call them and perform unauthorized actions
- CVE-2024-13253CRITICALCVSS 9.1EG 9.12025-01-09
Incorrect Authorization vulnerability in Drupal Advanced PWA inc Push Notifications allows Forceful Browsing.This issue affects Advanced PWA inc Push Notifications: from 0.0.0 before 1.5.0.
- CVE-2024-13257MEDIUMCVSS 5.3EG 5.32025-01-09
Incorrect Authorization vulnerability in Drupal Commerce View Receipt allows Forceful Browsing.This issue affects Commerce View Receipt: from 0.0.0 before 1.0.3.
- CVE-2024-13258CRITICALCVSS 9.8EG 9.82025-01-09
Incorrect Authorization vulnerability in Drupal Drupal REST & JSON API Authentication allows Forceful Browsing.This issue affects Drupal REST & JSON API Authentication: from 0.0.0 before 2.0.13.
Map vulnerabilities like CWE-863 to your infrastructure
EchelonGraph correlates every CVE — across CWE-863 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →